CVE-2026-11452: GL.iNet GL-MT3000 Command Injection Vulnerability – Firmware Update Required
A command injection vulnerability exists in GL.iNet's GL-MT3000 router firmware versions up to 4.4.5. An attacker can remotely send a specially crafted password parameter to the SET_USER_PWD handler in the /cgi-bin/glc component, allowing arbitrary command execution on the device without authentication. The vulnerability stems from insufficient input validation when processing password input. GL.iNet has addressed this issue in firmware version 4.8.1 by properly escaping shell metacharacters and containing the password parameter within a safe execution context.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-77
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument Password leads to command injection. The attack can be initiated remotely. Upgrading to version 4.8.1 is able to address this issue. The affected component should be upgraded. The vendor explains: " The current code escapes single quotes in the password parameter and handles it inside a shell single‑quote context. The payloads in the report, which rely on $() or backticks to trigger command substitution, are not executed under the current code path. We tested on a GL‑MT3000 device running firmware 4.8.1 using similar payloads, and no command‑execution marker file was created."
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in function FUN_0042e200 within the SET_USER_PWD handler of /cgi-bin/glc. The root cause is improper sanitization of the Password parameter before passing it to a shell execution context. While the affected firmware versions attempted to escape single quotes, they failed to prevent other shell metacharacters (such as command substitution operators) from being interpreted. An unauthenticated remote attacker can inject arbitrary shell commands by crafting payloads that leverage command substitution syntax, allowing code execution with the privileges of the web server process. The fix in version 4.8.1 implements comprehensive escaping and uses a shell single-quote context that safely isolates user input.
Business impact
Compromise of GL-MT3000 routers could lead to complete device takeover, allowing attackers to intercept network traffic, modify routing rules, conduct man-in-the-middle attacks, or use the device as a pivot point into downstream networks. For small businesses and home office environments relying on these devices, unauthorized access could result in data theft, credential harvesting, and lateral movement into connected systems. The remote, unauthenticated nature of the attack means no prior access or user interaction is required, increasing the attack surface significantly.
Affected systems
GL.iNet GL-MT3000 devices running firmware versions 4.4.5 and earlier are vulnerable. The vulnerability affects all instances accessible over a network unless protected by external firewall rules. Devices that have been updated to firmware version 4.8.1 or later are not affected.
Exploitability
This vulnerability is highly exploitable. It requires no authentication, no user interaction, and can be triggered over the network. The attack complexity is low—an attacker need only send an HTTP request to the affected CGI handler with a malicious password parameter. The payloads do not require specialized timing or race conditions. Exploitation would allow an attacker to execute arbitrary commands on the router with web server privileges, which typically run as root or a high-privilege system user on embedded devices.
Remediation
Immediately upgrade GL-MT3000 firmware to version 4.8.1 or later. Verify the upgrade by checking the device's firmware version in the web interface or CLI. If immediate upgrading is not feasible, restrict network access to the /cgi-bin/glc endpoint using firewall rules on upstream network devices. Consider disabling remote management features if not actively required. After patching, audit device logs for signs of prior exploitation.
Patch guidance
Download the latest firmware from GL.iNet's official support portal and follow their documented upgrade procedure. Ensure the device remains powered on and connected during the update. Verify successful installation by confirming the firmware version matches 4.8.1 or a later release. Test basic connectivity and user authentication after the update to confirm proper operation. For organizations managing multiple GL-MT3000 devices, consider scheduling updates during a maintenance window to avoid service disruption.
Detection guidance
Monitor web server access logs on GL-MT3000 devices for unusual POST requests to /cgi-bin/glc with the SET_USER_PWD parameter containing special characters, command substitution operators ($(), backticks), or shell metacharacters. Intrusion detection systems should flag attempts to access this endpoint with payloads containing command injection patterns. Network-based detection can identify attempts using YARA rules or IDS signatures matching command injection syntax in HTTP parameters. File integrity monitoring on the device itself could alert to unexpected command execution or file creation by the web server process.
Why prioritize this
This vulnerability merits immediate remediation due to its combination of high CVSS score (7.3), unauthenticated remote exploitability, and low attack complexity. The lack of barriers to exploitation and the device's role as a network access point make it an attractive target for attackers seeking persistent network presence. Organizations should treat this as a priority patch candidate.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects a remotely exploitable vulnerability with no authentication required (AV:N, PR:N), low attack complexity (AC:L), and potential impact to confidentiality, integrity, and availability (C:L, I:L, A:L). The score appropriately captures that while direct availability impact may be partial, full device compromise enables broad attacks on connected networks. The absence of the vulnerability from CISA's KEV catalog at the time of publication does not diminish its severity—it indicates either recent discovery or limited current exploitation, not reduced risk.
Frequently asked questions
What is the difference between firmware 4.4.5 and 4.8.1 regarding this vulnerability?
Firmware 4.4.5 and earlier versions use incomplete input sanitization that allows shell metacharacters to be interpreted in the password parameter, enabling command injection. Version 4.8.1 implements comprehensive escaping and shells the password input within a safe single-quote context where special characters are treated as literals, preventing command substitution from executing.
Do I need to authenticate to exploit this vulnerability?
No. The vulnerability exists in the SET_USER_PWD handler, which is typically accessible without prior authentication. This is a common design pattern in router web interfaces to allow password reset, but it creates a significant attack surface if input validation is inadequate.
What commands can an attacker execute if they exploit this?
An attacker can execute any shell command with the privileges of the web server process. On embedded Linux devices, this often includes root-level access, allowing complete device takeover including viewing configuration files, modifying firewall rules, intercepting traffic, or installing persistent malware.
If my GL-MT3000 is behind a corporate firewall, am I still at risk?
Your router is protected from external attackers if the firewall blocks inbound traffic to the management interface. However, if internal users or compromised internal systems can reach the device, they could exploit the vulnerability. Additionally, verify that remote management is disabled in the router settings to ensure the web interface is not accessible over WAN.
This analysis is provided for informational purposes based on available vulnerability data and vendor guidance. SEC.co does not conduct independent testing or verification of patches. Organizations should validate patch effectiveness in their own environments before broad deployment. The absence of a vulnerability from CISA's KEV catalog does not imply lower risk or lower exploitability. Refer to GL.iNet's official security advisories and support documentation for authoritative patch information and migration guidance. Security assessments should be conducted with vendor input and appropriate change management controls. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11450HIGHGL.iNet GL-MT3000 Remote Command Injection Vulnerability
- CVE-2026-11451HIGHGL.iNet GL-MT3000 Remote Command Injection in FTP Handler
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device